Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 469984 (CVE-2013-2065) - <dev-lang/ruby-1.9.3_p429 : DL and Fiddle Tained Object Handling Vulnerability (CVE-2013-2065)
Summary: <dev-lang/ruby-1.9.3_p429 : DL and Fiddle Tained Object Handling Vulnerabilit...
Alias: CVE-2013-2065
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2013-05-15 18:36 UTC by Agostino Sarubbo
Modified: 2014-02-01 21:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-05-15 18:36:39 UTC
From ${URL} :

A vulnerability has been reported in Ruby, which can be exploited by malicious people to bypass 
certain security restrictions.

The vulnerability is caused due to the DL and Fiddle modules not properly verifying the $SAFE level 
when handling certain objects and can be exploited to pass tainted strings to system calls.

The vulnerability is reported in the following versions:
* All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 426
* All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 195

Update to version 1.9.3 patchlevel 426 or 2.0.0 patchlevel 195.

Provided and/or discovered by
The vendor credits Vit Ondruch.

Original Advisory

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Hans de Graaff gentoo-dev Security 2013-05-16 07:19:30 UTC
I've just added ruby 1.9.3 p492. Given that there are also other bug fixes and changes, I would suggest to hold off stabilization for a few days to see if any issues surface.
Comment 2 Hans de Graaff gentoo-dev Security 2013-05-19 07:19:22 UTC
I haven't seen any regressions, so let's go ahead and mark this version stable.

Comment 3 Agostino Sarubbo gentoo-dev 2013-05-19 13:34:18 UTC
Arches, please test and mark stable:                                                                       
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-19 14:09:07 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2013-05-19 15:06:38 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-05-19 15:07:54 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-05-20 12:49:12 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-20 17:20:17 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-05-25 07:59:09 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-05-25 14:28:28 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-05-25 20:26:29 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-05-25 20:47:24 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-05-26 06:42:25 UTC
s390 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-06-09 15:59:11 UTC
sh stable
Comment 15 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 04:05:14 UTC
GLSA vote: no.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 20:43:41 UTC
CVE-2013-2065 (
  (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0
  before 2.0.0 patchlevel 195, do not perform taint checking for native
  functions, which allows context-dependent attackers to bypass intended $SAFE
  level restrictions.
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-01 21:29:46 UTC
GLSA vote: no. 

Closing as [noglsa]